Posts Tagged ‘Unpatched’

Trend Micro has broadened its cloud-based security infrastructure so that its products can receive actionable threat intelligence that lets the security software act like a “virtual shield” against many web-based threats. View full post on Techworld.com security

For more information go to http://www.NationalCyberSecurity.com, http://www.GregoryDEvans.com, http://www.LocatePC.net or http://AmIHackerProof.com

Instructions on how to exploit an unpatched Oracle Database Server vulnerability in order to intercept the information exchanged between clients and databases were published by a security researcher who erroneously thought that the company had patched the flaw.

Malware striking Mac computers is making the headlines again, this time exploiting a drive-by vulnerability in Java that has left Apple users dangerously exposed to attack.

The new Mac malware exploits a Java vulnerability (known as CVE-2012-0507), that Apple users are still not patched against.

Apple users won’t feel any consolation at all in the knowledge that their Windows cousins have been protected against the flaw since February.

Sophos security products identify the various components of the Mac malware attack as Exp/20120507-A, Troj/JavaDl-JI, OSX/Dloadr-DMU and OSX/Flshplyr-B – intercepting the threat before it can compromise Mac owners’ computers.

Once again, you’re left to ponder whether having Java installed on your computer is really worth it. Having Java on your PC or Mac may help you run some archaic applications, but it can also dramatically widen the attack surface which hackers can exploit.

My advice is that if you have no real need for Java, remove it.

The latest version of Mac OS X (known as Lion), unlike earlier editions, does not include Java by default, meaning users are not at risk *unless* they have subsequently installed the software.

If you’re not already doing so, run anti-virus software on your Macs. If you’re a home user, there really is no excuse at all as we offer a free anti-virus for Mac consumers.

The Flashback Trojan horse is a fairly recent malware package developed for OS X that attempts to steal personal information by injecting code into Web browsers and other applications on an OS X system. When these programs are then launched, the malicious code attempts to contact remote servers and upload screenshots and other personal information to them.

This malware was initially found in September 2011 while being distributed as a fake Flash Player installer (hence its “Flashback” name). In the past few months it has evolved to exploit Java vulnerabilities to target Mac systems.

While the exploits used by recent variants of the Flashback malware have been for older, patched vulnerabilities, over the weekend another variant surfaced that appears to be taking advantage of a Java vulnerability (CVE-2012-0507) that is currently unpatched in OS X.

For OS X systems with Java installed, simply visiting a malicious Web site containing the malware will result in one of two installation routes, both of which have been characteristic of prior variants of the malware. First it will ask for an administrator password, and if supplied it will install its payload into target programs within the /Applications folder. However, if no password is supplied, then the malware will still install to the user accounts where it will run in a more global manner.

While Apple does have a built-in malware scanner called XProtect, which will catch some variants of the Flashback malware, this scanner will not detect files being executed by the Java runtime, so these latest Flashback variants bypass this mode of protection.

This shortcoming of XProtect, coupled with Java for OS X currently being unpatched, might be concerning; however, in most cases Mac users should be relatively safe. Starting with OS X 10.6 Snow Leopard, Apple stopped including a Java runtime with OS X, so if you have purchased a new system with OS X 10.6 or later, or have formatted and reinstalled either OS X 10.6 or 10.7, then you will, by default, not be affected by this malware.

However, if you do have Java installed on your system, then for now the only way to prevent this malware from running is to disable Java. This can be done in the Security preferences in Safari, or by unchecking the Java runtime entries in the Java Preferences utility.

Even though new Mac systems cannot be affected by this malware in their default configurations, this development does outline a problem with how threats are handled in cross-platform runtimes such as Java. When vulnerabilities like the one here are discovered, they are often distributed among malware creators via exploit kits like Blackhole, which offer tools and code that make developing malware far easier for the criminals to do.

Because of the availability of these kits, even if the runtime for one platform is patched, then any lag in development for the other platforms (as is the case with Java on OS X) will provide a larger window of opportunity for malware developers to take advantage.

It appears this is exactly what the criminals behind the Flashback malware are doing, and as a result it puts those who use Java at an increased risk.


“A fully-patched Windows XP computer (with no additional software, such as anti-virus) is compromised within minutes of being put on the internet; meanwhile, the vast majority of Macs out there do not even run any antivirus, and have been exposed to the internet for years, without compromise. And almost half of all Windows PCs out there still run Windows XP…

It will be years before that advice (buy Macs, they are much, much more safe) stops being good and sound advice. Until then, whenever a new trojan appears for a Mac (and they appear so rarely, they always make front pages), “

That's because nobody writes malware and viruses for Macs because there is not as large of a user base, hence, less chance for large profits for attackers. It is never good advice to buy a Mac because they are more safe and don’t need antivirus protection. This is the same reason I run Linux. There is a smaller user base and nobody writes viruses for it. I am not naive enough to say it is safer and I don’t need malware/virus protection (even though you can limit sudo, root, groups, etc…)

BTW, I rejoice every time an Apple user gets infected on their “immune” machine because they took the good advice of an “apple genius” that said, “Macs cannot catch a cold, it is impossible.” LMAO

IDG News Service – A yet-to-be-patched flaw discovered in the Apache HTTP server allows attackers to access protected resources on internal networks if some rewrite rules are not defined properly.

The vulnerability affects Apache installations that operate in reverse proxy mode, a type of configuration used for load balancing, caching and other operations that involve the distribution of resources over multiple servers.

In order to set up Apache HTTPD to run as a reverse proxy, server administrators use specialized modules like mod_proxy and mod_rewrite.

Security researchers from Qualys warn that if certain rules are not configured correctly, attackers can trick servers into performing unauthorized requests to access internal resources.

The problem isn’t new and a vulnerability that allowed similar attacks was addressed back in October. However, while reviewing the patch for it, Qualys researcher Prutha Parikh realized that it can be bypassed due to a bug in the procedure for URI (Uniform Resource Identifier) scheme stripping. The scheme is the URI part that comes before the colon “:” character, such as http, ftp or file.

One relatively common rewrite and proxying rule is “^(.*) http://internal_host$1”, which redirects the request to the machine internal_host. However, if this is used and the server receives, for example, a request for “host::port” (with two colons), the “host:” part is stripped and the rest is appended to http://internal_host in order to forward it internally.

The problem is that in this case, the remaining part is “:port”, therefore transforming the forwarded request into http://internal_host:port, an unintended behavior that can result in the exposure of a protected resource.

In order to mitigate the problem server administrators should add a forward slash before $1 in the rewrite rule, the correct form being “^(.*) http://internal_host/$1”, Parikh said.
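To make the scheme-stripping behaviour and the mitigation concrete, here is an added example (not code from the article, from Qualys or from the Apache project): a simplified model of the flawed stripping step, the resulting proxied target for both rule forms, and a small linter that flags RewriteRule lines whose target appends $1 directly to a host. The configuration fragment is constructed for the example, and the stripping model is an assumption that only reproduces the “host::port” case described above.

```python
import re

# Constructed httpd.conf fragment (assumption, not from the article).
# Line 2 is the risky form quoted above, line 3 the corrected form.
SAMPLE_CONF = """\
RewriteEngine On
RewriteRule ^(.*) http://internal_host$1 [P]
RewriteRule ^(.*) http://internal_host/$1 [P]
ProxyPassReverse / http://internal_host/
"""


def strip_scheme(request_uri: str) -> str:
    """Simplified model of the flawed stripping: everything up to and
    including the first ':' is treated as the scheme and removed, so
    'host::port' is reduced to ':port'. Assumption for illustration only."""
    _head, sep, rest = request_uri.partition(":")
    return rest if sep else request_uri


def proxied_target(rule_target: str, request_uri: str) -> str:
    """Build the URL the proxy would forward to by substituting $1 in the
    rule target with the stripped request."""
    return rule_target.replace("$1", strip_scheme(request_uri))


# A RewriteRule whose target is scheme://host immediately followed by $1,
# i.e. no '/' separating the internal host from the captured request.
RISKY_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://[^/\s]+)\$1\b", re.I)


def find_risky_rules(conf: str) -> list:
    """Return (line_number, target_host) for every rule missing the slash
    before $1; an empty list means the fragment uses the corrected form."""
    hits = []
    for line_no, line in enumerate(conf.splitlines(), 1):
        match = RISKY_RULE.match(line)
        if match:
            hits.append((line_no, match.group(1)))
    return hits


if __name__ == "__main__":
    for target in ("http://internal_host$1", "http://internal_host/$1"):
        print(target, "->", proxied_target(target, "host::port"))
    print("risky rules:", find_risky_rules(SAMPLE_CONF))
```

With the risky rule the “host::port” request is forwarded to http://internal_host:port; with the slash in place it becomes a path under internal_host instead.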

The Apache developers are aware of the problem and are currently discussing the best method of fixing it. One possibility would be to strengthen the previous patch in the server code in order to reject such requests, however, there’s no certainty that other bypass methods won’t be discovered.

“We could try improve that fix, but I think it would be simpler to change the translate_name hooks in mod_proxy and mod_rewrite to enforce the requirement in the ‘right’ place,” said Red Hat senior software engineer Joe Orton on the Apache dev mailing list. Orton proposed a patch that is currently being reviewed by the other developers.

WordPress bloggers have a reason to be a little happier in the world with the introduction of its latest version, WordPress 3.2, which comes with a much steeper security update than previous versions. But Chester Wisniewski, of the security site Sophos, still cautions that, “As big a step forward as this is, however, it doesn’t bring web […]